Apple already shipped attestation on the web, and we barely noticed

dantheclamman@lemmy.world to Technology@lemmy.world – 144 points –
Apple already shipped attestation on the web, and we barely noticed
httptoolkit.com
51

I use Firefox. If I’m on the web and a site does not work with Firefox, I leave that site.

Do they think somehow people like me will change our minds? And more to the point, do they think website authors will want to limit their own audience for the benefit of some company?

Unless I’m misunderstanding this, maybe I need an ELI5

People like you and me are unfortunately a small minority. Most people go along with it, so they set about steamrolling over us through coercion or just not doing business with us

Will you change your bank when it refuses to work with Firefox? What if most other banks do the same?

This is how things are in Android now – online banking, online games and even subscription media services are mostly unavailable to those who would like to use non-official OS.

website authors will want to limit their own audience for the benefit of some company?

Many websites already refuse to work with anything not-chrome-based – so website authors often don't care.

Banks see that as 'security', so they are ok with 'losing' a small percentage of customers who want 'insecure' devices. In fact they would hardly lose anything, as their customers usually depend more on the bank, than the bank on any particular customer.

For media providers, that is another 'anti-piracy' measure (DRM) – they will also happily sacrifice Linux users, as insignificant fraction of users, probably less then 'actual pirates' on Windows or Mac. Netflix already won't stream in high quality to Firefox on Linux.

For online game providers this will be easy anti-cheat measure – they will also not care about that insignificant fraction of user.

Each of those service providers would loose maybe 5% of their user base (probably less… as most users would eventually accommodate), but the affected users would use major number of services they care about.

I see many people on Lenny say “blah blah doesn’t work on Firefox” and have yet to see an example. I’ve been using Firefox since the early or mid 2000s (started when they added extensions) and I SCARCELY have had issues. Only one I can remember, a credit card web site like 11 years ago.

After a big Firefox update last year, Chase kept telling me they wouldn't allow acces via "outdated" web browsers, then redirected me to download another browser which included Firefox. This went on for several months until Chase finally updated themselves. During that time, if I wanted to access my account I had to use a different browser.

Yes, this was temporary, but another issue I have is Firefox on my Samsung phone. I am not tech savvy; I do my best to protect myself, but past the basic protections I am overwhelmed.

I would LOVE to use Firefox on my phone instead of Chrome, but every time I have tried, Firefox has been slow as fuck as compared to Chrome; slow enough to be practically unusable. I never found a solution and ended up going back to chrome while trying to adjust all my phone/browser settings to request as much respect and privacy as possible.

For what it's worth, I've been ride or die for Firefox, and I use Chase's online banking for years and it never blocked me. I'm not sure what caused the issue for you, but I don't think that was the typical experience

Most likely user error. I’ve been doing tech support for nearly 30 years and 99% of the time when something “doesn’t work” or is “broken,” it’s user error. 99.9% not to suggest all users are stupid, sometimes it’s not an easy fix, not an obvious issue, but nevertheless, the tech works perfectly when used properly and maintained.

YIs that factoring in using ublock origin on mobile Firefox? Because surely that speeds things up?

I, too, have been using Firefox for decades and can think of no sites that have any problem other than very very old sites I used that were IE-only, built with Frontpage, and that was also early 2000-ish. I think most of the complaints about Firefox are nonsense and explainable as user based problems rather than tech.

do they think somehow people like me will change our minds?

Yeah. I use Firefox too, and when a site doesn’t work, I open it in chromium

In 20 years I haven’t had a website not work in Firefox. With the exception of some that had nothing to do with compatibility and was because of being stuck committed to frontpage or some shit where it’s easy for a moron to do but at the cost of being married to MS applications. Whole other story.

Apple sold this feature as an alternative to captchas.

In order to sign up for Lemmy, I had to pass a captcha check to prove I'm human. Now that bots can trivially be better than any human at captchas we have to find something else. Is attestation a good option? We can debate that, but it's definitely on the table. And I expect Firefox will implement it (even if only via a plugin) if it becomes widely adopted.

The fact that this was done relatively in secrecy really bothers me. I mean it really tweaks my tail.

It wasn't super secret, it's just that the HTTP protocol standard is getting quite large. HTTP standard site.

Same with HTML, the standard for HTML 5 is just so massive no one person can know all of it. It is completely unknowable to a single person at this point (without referring back to the standard).

The protocols and standards underpinning the Web have become over engineered in my opinion. I'm sure it was with "best intention" but I recommend gemini protocol at this point for "fun" and http for "business". Corporations owns HTTP at this point and there's little that can be done to change it. It has become the modern Adobe flash with the veneer of openness to satiate the causal observer.

But that's my two cents.

I consider myself a rather avid technology reader and try to stay up on the trends and this one completely escaped me, I am sorry to say.

It was part of the same keynote speech where Apple announced their virtual reality headset... so the media largely didn't cover it.

But Apple absolutely did announce it, and as loudly as they possibly could with a high profile executive standing on stage before a live (online live, but still live) audience of millions of people and every tech journalist in the world to demo the feature. There's also extensive documentation and whitepapers covering how the crypto works, and I expect it was discussed on public mailing lists ahead of time (I don't follow those mailing lists - they're too busy, so not sure about that one).

Is there a way to address the problems outlined by the proponents of these technologies without placing too much power in anti-democratic and anti-user organizations like Apple and Google?

But the problem they try to solve is: user's device is not under full control of the service provider. The only solution to that problem is to take away the control from the device owner. You cannot have both.

Which problems? As far as I can tell this solves zero problems for users of websites. Wanting to replace captchas with this is just another arms race that normal users will suffer from.

Well, captchas seem likely to become useless in the near future, and are currently a key feature used to prevent unwanted bot activity on many if not most websites. What can replace them?

Would this technology work better if there were a coalition of attesters that granted access to newer and smaller browsers and os makers?

The point of the attestation is to show that given browser won't do some things. If the browser is open source on open source operating system the user can modify it in any way he wants, so not such attestation can be given to such browser.

Even if we are ok with attested browser being official builds never modified by users, then user could still fake it if they have full control of their operating system. So the operating system must also be attested, so it cannot be freely modified. And what is a point of open source then? You can see, but you cannot touch?

Nothing. Nothing should replace them.

You, as a website, unconditionally have zero right to know anything about what a user is doing on their computer.

Block behavior, not devices.

How can the attester attest that a bot is not using a valid browser on a valid os?

It’s up to the attester to decide. Maybe it needs to run some verifications every so often. There’s nothing preventing it from refusing you attestation too, if your device is out of date, or is too old and won’t receive future updates

Can someone eli5 “shipped attestation”?

  • Alice gives Bob a Secret Note.
  • Alice and Bob agree on a way for Bob to scramble the Secret Note so that Alice can unscramble it.
  • Bob scrambles the Secret Note.
  • Bob gives Carol the Scrambled Secret Note.
  • Carol gives Alice the Scrambled Secret Note.
  • Alice descrambles the Scrambled Secret Note.
  • Alice tells Carol the Secret Note came from Bob.

Now, Carol trusts Alice and Alice trusts Bob. By passing this note around, Carol can trust Bob since Alice trusts Bob and she trusts Alice.

Passing the note around tells Carol (Web Server) that Bob (Web Browser) has trust from Alice (Attestation Server) and is not some imposter just claiming to be Bob.